OSNews: http://www.osnews.com/story/25610/_Cancel_or_allow_overload
Exploring the Future of Computingen-usCopyright 2001-2015, David Adamsadam+nospam@osnews.comTue, 03 Mar 2015 20:49:11 GMThttp://www.osnews.com/images/osnews.gifOSNews.comhttp://www.osnews.com
An anecdotehttp://www.osnews.com/thread?507016
http://www.osnews.com/thread?507016I was using the Woolworths application, and a particular update (accidentally) required ALL the permissions. Some of these were fairly scary sounding -- making phone calls, looking at account data. I also needed to do the update manually, because the permissions had *changed*.

Not only did I notice it, but so did a lot of others. A lot of their reviews went to 1 star with a lot of swearing about the permissions. Woolworths needed to clarify that this was a programming error and everything would be fixed shortly.

So I think a lot of people actually *do* read this stuff on Android.Tue, 14 Feb 2012 00:39:00 GMTdonotreply@osnews.com (thesunnyk)CommentsRE: An anecdotehttp://www.osnews.com/thread?507043
http://www.osnews.com/thread?507043I agree that scoring usually raise some warning about an application, But apart from that I guess that permission (like Windows UAC dialogs), are skipped like EULA usually are.

Google should weight old version score down to push these kind of adverse scoring for wrong permission.Tue, 14 Feb 2012 02:45:00 GMTdonotreply@osnews.com (dvhh)CommentsRE: An anecdotehttp://www.osnews.com/thread?507053
http://www.osnews.com/thread?507053I will also check permissions of any app I install. If the app requires permissions to somethings that I feel are unnecessary, and then I won't install it. Judging by reviews, plenty of others feel the same way.Tue, 14 Feb 2012 04:35:00 GMTdonotreply@osnews.com (OMRebel)CommentsRE[2]: An anecdotehttp://www.osnews.com/thread?507063
http://www.osnews.com/thread?507063

I will also check permissions of any app I install. If the app requires permissions to somethings that I feel are unnecessary, and then I won't install it. Judging by reviews, plenty of others feel the same way.

Me too, especially when an already installed app wants to change permissions... I look that over very carefully. For all I know, their servers may have gotten hacked and somebody pushed out a malicious version of the app.Tue, 14 Feb 2012 07:18:00 GMTdonotreply@osnews.com (WorknMan)CommentsIronyhttp://www.osnews.com/thread?507071
http://www.osnews.com/thread?507071I think I will just leave this old video here and see what happens...http://www.youtube.com/watch?v=VuqZ8AqmLPYTue, 14 Feb 2012 09:49:00 GMTdonotreply@osnews.com (Neolander)CommentsRE: Ironyhttp://www.osnews.com/thread?507086
http://www.osnews.com/thread?507086The irony there is that that ad only reinforce the blissful ignorance of security by Mac users.Tue, 14 Feb 2012 11:16:00 GMTdonotreply@osnews.com (JAlexoid)CommentsRE[2]: Ironyhttp://www.osnews.com/thread?507111
http://www.osnews.com/thread?507111To be honest, I'm afraid that only computer geeks take computer security seriously.

A significant part of desktop and laptop users in this world still run a cracked XP as administrator, with automatic updates disabled and IE 6 as their main web browser, and only hardware breakage will possibly make them switch to something else.

Then, on a more "professional" level, we can also think of all these ATMs running NT4 or OS/2, and sticking with the factory-provided PIN code for access to service functions...

Sad truth is, computer security only works on a large scale if you throw it on the newbie's face. The difficult part is to find a way to do so without harming the user experience too much, so that security warnings don't become yet another annoyance that people skim through without reading. UAC-like repetitive Cancel/Allow dialogs are a typical example of failure at this task.Edited 2012-02-14 13:42 UTCTue, 14 Feb 2012 13:36:00 GMTdonotreply@osnews.com (Neolander)CommentsUsually, not alwayshttp://www.osnews.com/thread?507118
http://www.osnews.com/thread?507118I usually look at the permissions (more often than not). Recently I installed a live wallpaper that had far too many permissions for what it did. It read shortcuts, created shortcuts, looked at contacts, etc. I removed it shortly thereafter and deleted the one shortcut it did create. I then rated it 1 star for requiring too much permission though I did praise the artwork/animation. Hey at least I'll be fair!Tue, 14 Feb 2012 14:11:00 GMTdonotreply@osnews.com (Drunkula)CommentsRE[3]: Ironyhttp://www.osnews.com/thread?507124
http://www.osnews.com/thread?507124

The difficult part is to find a way to do so without harming the user experience too much, so that security warnings don't become yet another annoyance that people skim through without reading. UAC-like repetitive Cancel/Allow dialogs are a typical example of failure at this task.

I agree with you on this point; desensitization to security by things like overactive security prompting is a serious concern. But so is the attitude by many users of alternative platforms such as Mac OS who proclaim that they're perfectly safe because "Macs don't get viruses".

I'm including platforms like Linux and FreeBSD in that statement as well - and I say that as a Linux user. While I do recognize that there is a reduced risk of malware, I always respect that there are perfectly adequate conditions for them to exist. I even treat the age-old advice to "stick with repositories and you're perfectly safe" as a half-truth; those repositories have the potential to be compromised if someone has enough knowledge and determination.

Security by scarcity only works as long as it's felt that the effort expended to create something sinister is more than the potential gain. It's difficult to pinpoint that threshold, and with growing popularity the risk increases every day.

To be honest, I'm afraid that only computer geeks take computer security seriously.

Too true. Too many people simply rely that "Norton will protect me", "Microsoft will protect me", "Apple will protect me", "Google will protect me", etc. And while I understand that nobody can get anything accomplished if they don't at least rely on trusting others, there's a big difference between giving a large corporate entity 100% of your trust or 99% of your trust.Tue, 14 Feb 2012 14:27:00 GMTdonotreply@osnews.com (sparkyERTW)CommentsRE[3]: An anecdotehttp://www.osnews.com/thread?507127
http://www.osnews.com/thread?507127

"I will also check permissions of any app I install. If the app requires permissions to somethings that I feel are unnecessary, and then I won't install it. Judging by reviews, plenty of others feel the same way.

Me too, especially when an already installed app wants to change permissions... I look that over very carefully. For all I know, their servers may have gotten hacked and somebody pushed out a malicious version of the app. "

I check the permissions of every single app I install on my Transformer, and in some ways it's taken a little bit of the shine off the tablet experience for me. It's astounding how many apps - put out by companies that most would consider "reputable" - have permissions that, really, they shouldn't need.

For example, I haven't upgraded my Netflix app (and I might even just uninstall it) because the updated permissions allow it to read the system logs... why the hell does Netflix need to know what goes on deep in the bowels of my tablet?!

Part of what bugs me is that there's never any justification given whatsoever. Sure, some permissions I can figure out the developers need it for, but there are also plenty of times I'm scratching my head as to why they need something so unrelated or low-level. But there's nowhere I can go to find out where that decision came from (short of contacting the devs, I suppose).Tue, 14 Feb 2012 14:37:00 GMTdonotreply@osnews.com (sparkyERTW)CommentsRE[4]: Ironyhttp://www.osnews.com/thread?507131
http://www.osnews.com/thread?507131Yes, disinformation campaigns of the kind "xxx is based on UNIX, so it is invincible" certainly do more harm than good.

After all, scanf() is historically a function of the standard UNIX library, and most Unices used MD5 for password hashing purposes before its vulnerabilities became widely known. Meanwhile, on the Windows side, Microsoft got some nice stuff out of the door in the Vista days (DEP, ASLR, IE sandboxing...), even though they still have lots of past mistakes to correct, some of which they might not want to deal with (such as the excessive use of Trident all over the most critical UI elements).

In the end, I believe that what makes current desktop *nix boxes more secure is only a combination of small market share and higher user education. Give Macs and Linux boxes a larger market share and less computer-literate users, and I bet that in a few years the platform will be an absolute security nightmare. Centralized repositories like the Mac App Store won't help, because their operation requires trusting so much manpower that they will be an easy target for a determined attacker. At worst, they may even serve as a privileged channel to steal credit card information and create massive botnet networks through fake application updates, due to their overreaching nature.

In my opinion, the secure OS of tomorrow must not rely solely on centralized vetting and will also implement strong security checks at the client level. In addition, OS developers will have to cooperate better with developers to reduce the minimal amount of security permissions which an average application requires, so that it is safe to display no warning to the user when installing an harmless soft (video game, office suite, media player...).

This way, security warnings would have much more impact, striking users as something out of the ordinary and highly suspicious. For knowlegeable users who actually want to install something dangerous (drivers, etc...), said security warnings could also be more informative, clearly stating which permissions are required and what is their effect (kind of like what Android does). This would allow one to quickly check that a given piece of software is not allowed to do more than it's supposed to.Edited 2012-02-14 15:30 UTCTue, 14 Feb 2012 15:22:00 GMTdonotreply@osnews.com (Neolander)CommentsComment by skeezixhttp://www.osnews.com/thread?507137
http://www.osnews.com/thread?507137Too bad the author doesn't allow commenting; I wanted to congratulate him on a good article. I love Android's up-front permissions question, but I think that it'd be really handy to turn permissions on and off as needed -- sometimes I'd really love to use an app but it wants to be a bit more free with my data than I'd like, and why couldn't I just turn off certain features?

I'm dreaming up a web app that may or may not allow third-party plugins, and this would be an ideal permission system to use.Tue, 14 Feb 2012 17:18:00 GMTdonotreply@osnews.com (skeezix)CommentsRE[5]: Ironyhttp://www.osnews.com/thread?507155
http://www.osnews.com/thread?507155Couldn't agree more.

Security only works when you pay attention to it everyday. Yes it hurts, but only that way you can be sure to be safe.

Fact is, any operating system is insecure if you do not take care of it.

Windows can be made as secure as any Unix, and Unix can be as insecure as Windows is usually made to believe.

There are Linux users running as root because sudo is as annoying as UAC (their words not mine).

Plus if you don't run the applications inside a sandbox like SELinux, AppArmor, Mac OS-X Sandboxes, HP-UX Virtual Partitions, among others, an application can always be owned and destroy/use all the $HOME contents.Tue, 14 Feb 2012 19:27:00 GMTdonotreply@osnews.com (moondevil)CommentsRE[4]: An anecdotehttp://www.osnews.com/thread?507168
http://www.osnews.com/thread?507168

Part of what bugs me is that there's never any justification given whatsoever. Sure, some permissions I can figure out the developers need it for, but there are also plenty of times I'm scratching my head as to why they need something so unrelated or low-level. But there's nowhere I can go to find out where that decision came from (short of contacting the devs, I suppose).

I've actually done that before. When I installed the Slacker radio app and saw that it wanted permission to access my contacts, I went to their forums and asked why. I forget what they said, something about sharing a song with friends or some such. But it sounded legit to me, so I went ahead and let it through.Tue, 14 Feb 2012 20:42:00 GMTdonotreply@osnews.com (WorknMan)CommentsRE[5]: An anecdotehttp://www.osnews.com/thread?507228
http://www.osnews.com/thread?507228The querstion is though, why is this permission *required*? Maybe I dont want to share songs with my friends.
A properly designed application should degrade gracefully to running with less features with less permissions if the feature isn't absolutely necessary.Wed, 15 Feb 2012 06:39:00 GMTdonotreply@osnews.com (Soulbender)CommentsRE[6]: An anecdotehttp://www.osnews.com/thread?507294
http://www.osnews.com/thread?507294

The querstion is though, why is this permission *required*? Maybe I dont want to share songs with my friends.
A properly designed application should degrade gracefully to running with less features with less permissions if the feature isn't absolutely necessary.

There are 3rd party firewall apps that let you deny specific permissions to any app, but I'm not sure there's a way for an application developer to make permissions optional in Android when you install the app. So, this seems like a limitation of the OS.

In addition to making these optional, I'd like to see a small description field by each permission, where the developer can tell you at install time why a specific permission is needed. Of course, they could always lie, but at least they'd have to come up with something that sounded legit.Wed, 15 Feb 2012 20:00:00 GMTdonotreply@osnews.com (WorknMan)CommentsRE[2]: Ironyhttp://www.osnews.com/thread?507926
http://www.osnews.com/thread?507926

A significant part of desktop and laptop users in this world still run a cracked XP as administrator, with automatic updates disabled and IE 6 as their main web browser

*but then, it's also possible that part is somewhat greater than 1.5% - but less visible in web stats, used less intensively online (which OTOH would also mean smaller exposure to attack vectors...)Mon, 20 Feb 2012 21:53:00 GMTdonotreply@osnews.com (zima)Comments